The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States.

Commissioners
Deanna Tanner Okun, Chairman
Irving A. Williamson, Vice Chairman
Charlotte R. Lane
Daniel R. Pearson
Shara L. Aranoff
Dean A. Pinkert

UNITED STATES INTERNATIONAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, DC 20436

VIA ELECTRONIC TRANSMISSION

September 28, 2011                                                       OIG-JJ-017

Chairman Okun:

This memorandum transmits the Office of Inspector General’s final report, Audit of Continuous Monitoring, OIG-AR-11-15. In finalizing the report, we analyzed management’s comments on our draft report and have included those comments in their entirety in Appendix A.

This report contains four recommendations for corrective action. In the next 30 days, please provide me with your management decisions describing the specific actions that you will take to implement each recommendation.

Thank you for the courtesies extended to my staff during this audit.

Sincerely,

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report

Table of Contents

Results of Audit
Problem Areas
   Problem Area 1: The Commission does not produce a real-time executive dashboard.
   Problem Area 2: The Commission does not provide automated data feeds to CyberScope.
Management Comments and Our Analysis
Scope and Methodology
Appendix A: Management Comments on Draft Report

OIG-AR-11-15

Results of Audit

Has the USITC implemented an effective and comprehensive continuous monitoring system?

No. The USITC has not implemented an effective and comprehensive continuous monitoring system.

Continuous monitoring describes the process of constantly collecting and auditing raw data. In a typical computer network, systems generate logs to record a range of events, including network access attempts, changes in permissions, or the starting and stopping of programs. The sheer volume of events dictates a need for specialized software to collect, store, and analyze this data.
While specialized technicians have the training and skillsets to review this raw data, it can be indecipherable to management not involved in the day-to-day operations of complex networks. If management does not have real-time access to what is happening on its systems, it is not managing those systems.

For this reason, the Office of Management and Budget (OMB) recently instituted a requirement for Federal agencies to perform continuous monitoring, to provide specific summary data in the form of an executive dashboard, and to provide direct feeds of this data to OMB’s CyberScope portal. CyberScope is a web portal designed to collect government-wide information security data.

To effectively implement OMB’s continuous monitoring requirements, the Commission must do the following:

   1. Automate log management for all core infrastructure.
   2. Automate management of the software inventory.
   3. Manage the hardware inventory.
   4. Inventory external connections.
   5. Collect and maintain data concerning security training.
   6. Collect and maintain data concerning identity management and access.
   7. Create a real-time executive dashboard.
   8. Configure capable software to provide data feeds to CyberScope.

We identified two problem areas that must be resolved before the Commission can meet continuous monitoring requirements: it does not currently produce a real-time executive dashboard, and it does not yet have the capacity to provide data feeds to the CyberScope portal.
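The collect-and-summarize step described above, as an added example that is not part of the OIG report and not code from any USITC system: a small Python script that classifies raw host log lines into the event kinds the report names (access attempts, permission changes, program start and stop), buckets them by time so the counts carry historical context rather than a single current number, and pulls out the sources behind failed access attempts. The log line format, the classification patterns, the bucket widths and the sample lines in SAMPLE_LOG are all constructed for this example; a real deployment would feed the same functions from a central log collector on a schedule.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input. The format "<ISO timestamp> <host> <message>" is an
# assumption for this example, not a format the report describes.
SAMPLE_LOG = """\
2011-09-26T08:02:11 fs01 sshd: Failed password for root from 198.51.100.7
2011-09-26T08:02:15 fs01 sshd: Failed password for root from 198.51.100.7
2011-09-26T08:03:40 fs01 sshd: Accepted publickey for jdoe from 10.0.0.5
2011-09-26T08:10:02 app02 sudo: jdoe : COMMAND /usr/sbin/service httpd restart
2011-09-26T08:10:03 app02 systemd: Started httpd
2011-09-26T09:15:30 fs01 sshd: Failed password for admin from 198.51.100.7
2011-09-26T09:41:12 dc01 usermod: jdoe added to group wheel
2011-09-26T10:05:00 app02 systemd: Stopped httpd
2011-09-26T10:05:01 app02 systemd: Started httpd
2011-09-26T10:22:47 fs01 sshd: Failed password for root from 203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.+)$")

# Ordered (category, pattern) rules; the first match wins. The categories mirror
# the event kinds the report lists; the patterns are assumptions for the example.
CATEGORY_RULES = [
    ("failed_login", re.compile(r"Failed password")),
    ("accepted_login", re.compile(r"Accepted (?:password|publickey)")),
    ("privilege_change", re.compile(r"^sudo:|added to group")),
    ("service_change", re.compile(r"\b(?:Started|Stopped)\b")),
]


def parse_line(line):
    """Turn one raw line into a categorised event, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    category = next((c for c, p in CATEGORY_RULES if p.search(m["msg"])), "other")
    return {"ts": ts, "host": m["host"], "category": category, "msg": m["msg"]}


def bucket_start(ts, minutes):
    """Floor a timestamp to the start of its bucket, with buckets aligned to midnight."""
    floor = ts.replace(second=0, microsecond=0)
    since_midnight = floor.hour * 60 + floor.minute
    return floor - timedelta(minutes=since_midnight % minutes)


def summarize(text, minutes=60):
    """Map every bucket start in the observed range to a Counter of categories.
    Empty buckets are kept so a time-based graph shows quiet periods as zeros."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    if not events:
        return {}
    counts = defaultdict(Counter)
    for e in events:
        counts[bucket_start(e["ts"], minutes)][e["category"]] += 1
    first = bucket_start(min(e["ts"] for e in events), minutes)
    last = bucket_start(max(e["ts"] for e in events), minutes)
    summary, b = {}, first
    while b <= last:
        summary[b] = counts.get(b, Counter())
        b += timedelta(minutes=minutes)
    return summary


def trend(summary, category):
    """(bucket, count, change from previous bucket) rows for one category:
    the historical context that a single current number cannot give."""
    rows, prev = [], None
    for b in sorted(summary):
        n = summary[b][category]
        rows.append((b, n, None if prev is None else n - prev))
        prev = n
    return rows


def top_sources(text, category="failed_login", limit=3):
    """Most frequent 'from <addr>' sources for one category, most active first."""
    sources = Counter()
    for e in filter(None, map(parse_line, text.splitlines())):
        m = re.search(r"\bfrom (\S+)", e["msg"])
        if e["category"] == category and m:
            sources[m.group(1)] += 1
    return sources.most_common(limit)


def render(summary):
    """Plain-text dashboard table: one row per bucket, one column per category."""
    cats = [c for c, _ in CATEGORY_RULES] + ["other"]
    lines = ["bucket            " + " ".join(f"{c:>16}" for c in cats)]
    for b in sorted(summary):
        row = " ".join(f"{summary[b][c]:>16}" for c in cats)
        lines.append(b.strftime("%Y-%m-%d %H:%M") + "  " + row)
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, minutes=60)
    print(render(s))
    for b, n, delta in trend(s, "failed_login"):
        change = "n/a" if delta is None else f"{delta:+d}"
        print(f"failed logins {b:%H:%M}: {n} ({change})")
    print("top failed-login sources:", top_sources(SAMPLE_LOG))
```

The output of `summarize` and `trend` is the shape of data an automatically updating page can chart directly, and `top_sources` is the kind of highlighted item that lets a manager act without reading the raw lines. A production collector would run this against far more input and more rule types, but the transformation from raw events to time-bucketed summary counts is the same.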
Problem Areas

Problem Area 1: The Commission does not produce a real-time executive dashboard.

The Office of Management and Budget requires agencies to implement an executive dashboard that presents management with summary data in a manner that enables timely decision making. This data should be presented in a form that is automatically updated, provides historical data for context, and highlights areas critical to decision making.

The Commission does not currently have this capability. A prototype dashboard has been produced using a Microsoft Excel spreadsheet, but this format cannot display real-time data and does not provide an easily viewed historical context to enable educated decision-making. Development of an effective executive dashboard has not been a priority for the Office of Enterprise Security Management, and the end result is a product that is not being used by the CIO.

Recommendation 1:

   Present the data in a real-time format, such as an automatically updating webpage.

Recommendation 2:

   Provide data on the dashboard using time-based graphs to allow those viewing it to identify trends and gain perspective.

Problem Area 2: The Commission does not provide automated data feeds to CyberScope.

OMB requires agencies to provide data feeds to CyberScope for specific data including inventory, systems and services, hardware, software, external connections, security training, and identity management and access.
This requires that agencies implement management software to collect this data. The USITC is collecting the majority of the data required by OMB, but it does not yet have the capacity to provide OMB with automated data feeds. The Commission will need to configure its software to push its data to CyberScope automatically where possible, and will need to provide manual data feeds for data items that cannot be automated.

Recommendation 3:

   Configure management software to push data to CyberScope.

Recommendation 4:

   Prepare manual data feeds for data items that cannot be automated.

Management Comments and Our Analysis

On September 27, 2011, Chairman Deanna Tanner Okun provided management comments on the draft audit report. The Chairman agreed with our assessment that there are two problem areas, related to the lack of an executive dashboard and of data feeds to CyberScope, and recognized that the Commission can implement effective continuous monitoring by implementing the recommendations detailed in the two problem areas. The Chairman’s response is provided in its entirety as Appendix A.

Scope and Methodology

Scope:

   • The scope of this audit included the systems and processes related to Continuous Monitoring at the USITC.

Methodology:

   a. Identify Continuous Monitoring and reporting systems in use at the USITC.
   b. Assess existing systems’ compliance with Office of Management and Budget Memorandum M-10-15 and NIST Special Publication 800-137, with a specific focus on the following areas:
         i. Executive dashboard
        ii. OMB FISMA reporting requirements
       iii. System-wide Continuous Monitoring/Automation
        iv. Measures and Metrics
         v. Finding analysis and response

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix A: Management Comments on Draft Report

“Thacher’s Calculating Instrument,” developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used by architects, engineers, and actuaries as a measuring device.